Biometric template security

Biometric recognition (recognizing of individuals based on their anatomical or behavioral traits) is emerging as the mainstay of person authentication. This is primarily driven by the inherent reliability and convenience of biometric systems over traditional authentication mechanisms (such as passwords or tokens) that can be easily shared, guessed, lost, or stolen. However, the practical implementation raises a number of concerns: Will the acquired traits be used only for the stated purpose? Can someone impersonate a user by acquiring information about a biometric trait? Can someone circumvent or bypass the system?

A typical biometric recognition system operates by first storing the features extracted from a given trait (e.g., minutiae from fingerprint, iris code, etc.) as templates in the system's database and then matching the template features with those extracted from the biometric information presented during subsequent authentication attempts. Like any generic, electronic authentication system, a biometric system is also vulnerable to various system attacks that either exploit the system's nonsecure infrastructure (such as replay attack, denial of service attack, etc.) or administrative loopholes, also called insider attacks (see Figure 1). Additional vulnerabilities of a biometric system are related to the overt nature of the relevant information (e.g., your face is not a secret!) and limited liveness-detection capabilities of commonplace systems.² It is not difficult to create a spoof biometric from a biometric image or even a stored template and gain illegitimate access. These systems are also vulnerable to intrinsic failures (also known as zero-effort attacks), leading to incorrect authentication. This is due to the limited individuality and intraclass variations in biometric features. Efforts are underway by the research community to reduce such intrinsic errors by designing salient-feature detectors and robust matchers.

Figure 1. Architecture of a biometric-based authentication system indicating its major vulnerabilities and their four underlying causes.¹

Another major vulnerability that stems from the explicit storage of biometric data relates to the loss of user privacy.^3,4 Possible entities that can take advantage of this private information include overzealous and fallible government agencies that can easily track and control its citizens' activities using biometrics.⁴ Similarly, a corporate service provider, say, a medical-insurance company or an employment agency could deny services or employment to certain individuals based on information gained from the stored biometrics to either determine the person's health condition or illegitimately track his activities. Yet another threat to a user's privacy comes from attackers or criminals, who can compromise another system that has enrolled the same user using the stolen template. Therefore, it is important to protect the biometric templates stored in the system's database.

To effectively guard against vulnerabilities, a template-protection strategy should satisfy a number of requirements. First, the stored template should not reveal any data that can be replayed to the system for a successful match. In addition, it should be difficult for an adversary to guess or reverse engineer the original biometric trait or any close replica from the stored data. Second, given multiple systems using the same biometric information, an adversary should not be able to link templates corresponding to the same individual. If the stored data is compromised, it should be possible to revoke the template and re-issue a new one (similar to resetting a password or personal identification number). Finally, it should not lead to any significant degradation in the system's matching performance (i.e., increase the error rate).

A number of approaches have been proposed to protect the stored template. Hardware-based solutions use smartcards or stand-alone biometric system-on-devices (see Figure 2). Software-based solutions include feature transformation and biometric cryptosystems. Common encryption techniques, such as advanced encryption standard (AES) or RSA (named after Rivest, Shamir, and Adleman, who first published the approach) cannot be used because of intraclass variations in the biometric templates (see Figure 3).

Figure 2. Hand-held secure fingerprint-authentication system, Privaris PlusID.⁵ Upon scanning a finger and matching it with the template stored on the module, it releases a secure key that can be used for authentication. While this technology is useful in applications requiring only the positive verification of a user's identity claim (e.g., a bank's automatic teller machine), it cannot be used in screening applications that require identification of a user without any explicit identity claim (e.g., Federal Bureau of Investigation fingerprint databases are used to identify latent fingerprints left at crime scenes). (Courtesy http://www.privaris.com.)

Figure 3. Two different impressions of the same finger showing significant intraclass variations. Only a subset of the minutiae (marked with blue lines) in the two impressions match.

A feature-transform-based approach essentially introduces diversity into the template by transforming the biometric using parameters set by a user (e.g., derived from a user's password): see Figure 4. This allows one to revoke and create a new template if compromised. Biometric cryptosystems, on the other hand, introduce asymmetry in the authentication process. A cryptographic key is associated with the biometric features to generate the helper or auxiliary data, which reveal no or only miniscule information about the biometric trait or cryptographic key. Recovery of the cryptographic key indicates successful authentication in subsequent attempts (see Figure 5). As these two techniques individually do not satisfy all requirements of an effective template-protection technique, we have proposed a combination.⁸ To further enhance the privacy of biometric cryptosystems, the auxiliary data can be masked using homomorphic encryption that allows certain arithmetic operations in the encrypted domain.⁹

Figure 4. (a) Original fingerprint with minutiae overlaid, (b) mixture of Gaussian-based transformation functions, and (c) transformed minutiae template.⁶

Figure 5. Enrollment and authentication steps in a biometric cryptosystem called the ‘fuzzy commitment scheme.’⁷ XOR: Encryption algorithm.

Despite the advantages of the above template-protection techniques, their adoption has been limited in the biometric industry. This is because the modified template based on the existing schemes increases the authentication error rate and demands more computation during matching, which is further compounded by the lack of standards for defining and storing modified templates. We are continuing to design schemes for effective use of the information content in biometric traits to reduce the authentication error rates, while at the same time improving the security of the template-protection technique itself¹⁰ (e.g., we use both ridge orientation and frequency to improve a fingerprint-based biometric cryptosystem called ‘fuzzy vault’). We are also investigating optimal ways to combine multiple biometric traits (fingerprints and iris scans) securely.¹¹ In addition, we recently proposed a new quantitative measure of irreversibility of the protected templates.¹²

We believe that sustained efforts in designing techniques for template security are essential to streamline the proliferation of convenient and efficient biometric systems in our daily transactions. More secure techniques will alleviate any concerns about the privacy of user data or integrity of the system. This will provide confidence to the developers of biometric technology and to the end-user community in undertaking large-scale deployments.